MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf56df192c905336714c2295fd771cb2ed6ade7167705b0442bbc8dde72072e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf56df192c905336714c2295fd771cb2ed6ade7167705b0442bbc8dde72072e8
SHA3-384 hash: 15f84f10098474f2e6c119326ba06e513fcb1423eeb585bfe7b32aca38e7253a733e987023e51d85349b9da3f159cc61
SHA1 hash: 63caafaae69081882da379556b17a2b21dd96963
MD5 hash: 7042ee1bdb66342f4f19304fff77d08b
humanhash: massachusetts-pennsylvania-hydrogen-pluto
File name:hsy_utu8_12u_v4.4.7.0 (4).dll
Download: download sample
Signature Dridex
Create hunting rule
File size:177'664 bytes
First seen:2021-07-27 07:47:56 UTC
Last seen:2021-07-27 08:46:11 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 89aebe8644a760ddbd7c2e801228e7e5 (7 x Dridex)
ssdeep 3072:CDNLuxQI4JTJlYDFS6t2NAgEaakq7MCi6TM7EANfFln:CD5PB3ot2ygEasni6TM7EAN
Threatray 4'665 similar samples on MalwareBazaar
TLSH T10804D161DBE759C5D7A3C57ACC8CA17BD1293C0B8A6CD2BC6208D2CC897AF0CC5A4D95
Reporter JAMESWT_WT
Tags:dll Dridex

Intelligence

File Origin
# of uploads :
2
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DridexLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/174258/
Detection(s):
SecuriteInfo.com.Variant.Graftor.972231.5200.7846.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3563e6d3-188f-4d0f-b8de-76d734be5012
Result
Threat name:
Dridex
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/822174
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found PHP interpreter
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win32.Trojan.Graftor
Create hunting rule
Status:
Malicious
First seen:
2021-07-27 06:54:40 UTC
File Type:
PE (Dll)
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
doppeldridex
Create hunting rule
dridex
Create hunting rule
Similar samples:
122daae264e48afecacff39633050751658f9557daa4ae83736f4cb7fae58f1c
Dridex
1a560adb810b924e65f91e34664166be2c2adac10f7f28c075d902e4adb1112c
Dridex
4fc754bd7957493e0b8e127e22cb4599f9ad57d8a581087cd697ae9ee90e6d55
Dridex
55bc0af1e99d0310ea3e8668aba02e4d3aa3c800b85fe304a6377968a4668cc1
Dridex
80012d65f11c6481e6e98a03016f5a69ed2ae210af24d810b7ce562318a9b116
Dridex
9f1ca49e69173b3b5df37bbb48f17ce6ad857f4acbb0261f3306c9b1d2232d19
Dridex
a51b5bab04a5b0f549dd27851e83550a47cd38abd109ee24bc1d96aae089d25c
Dridex
ac3cc428096079fe4572b77a4382eb28b48f7d30279adce3ba69a51f42fe1bd4
Dridex
cbe76441844bd0b28afb2b183f52ef3bec4c2a4b26884219049ba2618a823989
Dridex
e26c7e7c111e41d766ab313e1c4c0f17cbc9710aee23248b017735caf97f2a0e
Dridex
+ 4'655 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet:22202 botnet evasion loader trojan
Link:
https://tria.ge/reports/210727-38jl2s61zs/
Behaviour
Suspicious use of WriteProcessMemory
Checks whether UAC is enabled
Dridex Loader
Dridex
Malware Config
C2 Extraction:
45.79.33.48:443
139.162.202.74:5007
68.183.216.174:7443
Unpacked files
SH256 hash:
cdcc9b729ed60a4954aadb5b020f84054a488fb6f5591616473415109fe1d9ae
MD5 hash:
0e433b8a675c3f07d53132a88baebf40
SHA1 hash:
4f12d2600db3bfd850ff80f282d2ab2e724440ce
Detections:
win_dridex_auto
Create hunting rule
Link:
https://www.unpac.me/results/16a0c2a8-5d25-4923-8bf3-7a8277a8b454/
Parent samples :
cbe76441844bd0b28afb2b183f52ef3bec4c2a4b26884219049ba2618a823989
122daae264e48afecacff39633050751658f9557daa4ae83736f4cb7fae58f1c
cf56df192c905336714c2295fd771cb2ed6ade7167705b0442bbc8dde72072e8
00072be4185289677e5babb9fda5279b5c2886683ebd7ea22d36f4bc9683b3e5
828d60f696d4ee8c80b6a17a3b2462a744d87297b8016488ef67dc20ca86a5be
19224bfca1af04c5548f61f93877dfdda1194f9a3b018385d72e5bb96cc8b00d
581305130377c5a6cc8fe10f6e698758da36cfd857981dbb1da867f202429653
SH256 hash:
f61105d04cd95b2b05365c65619a60f939047a5e35574f0393398c1ec7e03072
MD5 hash:
3e2594b49caf4515028c8d7db7b39994
SHA1 hash:
117003b6a458f0ae6ad9f49d7203a3a5b5885434
Detections:
win_doppeldridex_auto
Create hunting rule
Link:
https://www.unpac.me/results/16a0c2a8-5d25-4923-8bf3-7a8277a8b454/
SH256 hash:
cf56df192c905336714c2295fd771cb2ed6ade7167705b0442bbc8dde72072e8
MD5 hash:
7042ee1bdb66342f4f19304fff77d08b
SHA1 hash:
63caafaae69081882da379556b17a2b21dd96963
Link:
https://www.unpac.me/results/16a0c2a8-5d25-4923-8bf3-7a8277a8b454/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/cf56df192c905336714c2295fd771cb2ed6ade7167705b0442bbc8dde72072e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Dridex

DLL dll cf56df192c905336714c2295fd771cb2ed6ade7167705b0442bbc8dde72072e8

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/174258/
  
URLhaus
https://urlhaus.abuse.ch/url/1484149/
  
Delivery method
Distributed via web download

Comments